Category: Unit 42

Explore how macOS Gatekeeper’s security could be compromised by third-party apps not enforcing quarantine attributes effectively. The post Gatekeeper Bypass: Uncovering Weaknesses in a macOS Security Mechanism appeared first on Unit 42. This article has been indexed from Unit 42…

Read more →

The Unit 42 Threat Frontier report discusses GenAI’s impact on cybersecurity, emphasizing the need for AI-specific defenses and proactive security. The post Unit 42 Looks Toward the Threat Frontier: Preparing for Emerging AI Risks appeared first on Unit 42. This…

Read more →

Discover recent attacks using Lynx ransomware, a rebrand of INC, targeting multiple crucial sectors in the U.S. and UK with prevalent double-extortion tactics. The post Lynx Ransomware: A Rebranding of INC Ransomware appeared first on Unit 42. This article has…

Read more →

Discover how North Korean attackers, posing as recruiters, used an updated downloader and backdoor in a campaign targeting tech job seekers. The post Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and…

Read more →

Four DNS tunneling campaigns identified through a new machine learning tool expose intricate tactics when targeting vital sectors like finance, healthcare and more. The post No Way to Hide: Uncovering New Campaigns from Daily Tunneling Detection appeared first on Unit…

Read more →

Researchers detail the discovery of Swiss Army Suite, an underground tool used for SQL injection scans discovered with a machine learning model. The post Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning appeared first on Unit 42. This…

Read more →

We analyze new tools DPRK-linked APT Sparkling Pisces (aka Kimsuky) used in cyberespionage campaigns: KLogExe (a keylogger) and FPSpy (a backdoor variant). The post Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy appeared first on Unit 42. This article has…

Read more →

Delve into the infrastructure and tactics of phishing platform Sniper Dz, which targets popular brands and social media. We discuss its unique aspects and more. The post Investigating Infrastructure and Tactics of Phishing-as-a-Service Platform Sniper Dz appeared first on Unit…

Read more →

We deconstruct SnipBot, a variant of RomCom malware. Its authors, who target diverse sectors, seem to be aiming for espionage instead of financial gain. The post Inside SnipBot: The Latest RomCom Malware Variant appeared first on Unit 42. This article…

Read more →

Discover Splinter, a new post-exploitation tool with advanced features like command execution and file manipulation, detected by Unit 42 researchers. The post Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool appeared first on Unit 42. This…

Read more →

We track a campaign by Gleaming Pisces (Citrine Sleet) delivering Linux or macOS backdoors via Python packages, aiming to infiltrate supply chain vendors. The post Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors appeared first on…

Read more →

We detail a rare phishing mechanism using a refresh entry in the HTTP response header for stealth redirects to malicious pages, affecting finance and government sectors. The post Phishing Pages Delivered Through Refresh HTTP Response Header appeared first on Unit…

Read more →

Repellent Scorpius distributes Cicada3301 ransomware, using double extortion and targeting global victims since May 2024. We break down their toolset and more. The post Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware appeared first on Unit 42. This article has…

Read more →

Explore Unit 42’s review of North Korean APT groups and their impact, detailing the top 10 malware and tools we’ve seen from these threat actors. The post Threat Assessment: North Korean Threat Groups appeared first on Unit 42. This article…

Read more →

A first in our telemetry: Chinese APT Stately Taurus uses Visual Studio Code to maintain a reverse shell in victims’ environments for Southeast Asian espionage. The post Chinese APT Abuses VSCode to Target Government in Asia appeared first on Unit…

Read more →

Unit 42 discusses WikiLoader malware spoofing GlobalProtect VPN, detailing evasion techniques, malicious URLs, and mitigation strategies. The post Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant appeared first on Unit 42. This article has been indexed from Unit 42 Read…

Read more →

Unit 42 researchers use a novel graph-based pipeline to detect misuse of 19 new TLDs for phishing, chatbots and more in several case studies. The post TLD Tracker: Exploring Newly Released Top-Level Domains appeared first on Unit 42. This article…

Read more →

A technical analysis of deepfake technology uncovers how cybercriminals utilize AI-generated videos of public figures to execute sophisticated scams. The post The Emerging Dynamics of Deepfake Scam Campaigns on the Web appeared first on Unit 42. This article has been…

Read more →

We analyze a recent incident by Bling Libra, the group behind ShinyHunters ransomware as they shift from data theft to extortion, exploiting AWS credentials. The post Bling Libra’s Tactical Evolution: The Threat Actor Group Behind ShinyHunters Ransomware appeared first on…

Read more →

Unit 42 researchers use deep learning to detect cyber threats by analyzing DNS traffic, employing autoencoders and machine learning algorithms. The post Autoencoder Is All You Need: Profiling and Detecting Malicious DNS Traffic appeared first on Unit 42. This article…

Read more →

We recount an extensive cloud extortion campaign leveraging exposed .env files of at least 110k domains to compromise organizations’ AWS environments. The post Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments appeared first on Unit 42. This article…

Read more →

Find out which industries have the most rapidly expanding attack surfaces from a survey of 260+ orgs in Unit 42’s 2024 Attack Surface Threat Report. The post Unit 42 Attack Surface Threat Research: Over 23% of Internet-Connected Exposures Involve Critical…

Read more →

New research uncovers a potential attack vector on GitHub repositories, with leaked tokens leading to potential compromise of services. The post ArtiPACKED: Hacking Giants Through a Race Condition in GitHub Actions Artifacts appeared first on Unit 42. This article has…

Read more →

Learn about BOLABuster, an LLM-driven tool automating BOLA vulnerability detection in web applications. Issues have already been identified in multiple projects. The post Harnessing LLMs for Automating BOLA Detection appeared first on Unit 42. This article has been indexed from…

Read more →

Discover the 2024 ransomware landscape: a 4.3% increase in leak site posts compared to the first half of 2023, top targeted sectors and impacted countries. The post Ransomware Review: First Half of 2024 appeared first on Unit 42. This article…

Read more →

Russian APT Fighting Ursa (APT28) used compelling luxury car ads as a phishing lure, distributing HeadLace backdoor malware to diplomatic targets. The post Fighting Ursa Luring Targets With Car for Sale appeared first on Unit 42. This article has been…

Read more →

Unit 42 researchers discovered BOLA vulnerability CVE-2024-22278 in the cloud-native container registry Harbor. They break down its discovery and the outcomes. The post Identifying a BOLA Vulnerability in Harbor, a Cloud-Native Container Registry appeared first on Unit 42. This article…

Read more →

A direct correlation between GenAI’s explosive popularity and scam attacks is addressed in this article, using plentiful data and a case study of network abuse. The post Scam Attacks Taking Advantage of the Popularity of the Generative AI Wave appeared…

Read more →

We explain how an automated BOLA detection tool harnessing GenAI discovered multiple BOLA vulnerabilities in open-source scheduling tool Easy!Appointments. The post AI Tool Identifies BOLA Vulnerabilities in Easy!Appointments appeared first on Unit 42. This article has been indexed from Unit…

Read more →

Malware analysts demonstrate how to triage and analyze large amounts of samples with greater efficiency. Samples include Remcos RAT, Lumma Stealer and more. The post Accelerating Analysis When It Matters appeared first on Unit 42. This article has been indexed…

Read more →

This article is a detailed study of CVE-2023-46229 and CVE-2023-44467, two vulnerabilities discovered by our researchers affecting generative AI framework LangChain. The post Vulnerabilities in LangChain Gen AI appeared first on Unit 42. This article has been indexed from Unit…

Read more →

Ransomware gang RA World rebranded from RA Group. We discuss their updated tactics from leak site changes to an analysis of their operational tools. The post From RA Group to RA World: Evolution of a Ransomware Group appeared first on…

Read more →

Unit 42 researchers test container escape methods and possible impacts within a Kubernetes cluster using a containerd container runtime. The post Container Breakouts: Escape Techniques in Cloud Environments appeared first on Unit 42. This article has been indexed from Unit…

Read more →

Unit 42 researchers test container escape methods and possible impacts within a Kubernetes cluster using a containerd container runtime. The post Container Breakouts: Escape Techniques in Cloud Environments appeared first on Unit 42. This article has been indexed from Unit…

Read more →

Our data shows a pattern of APK malware bundled as BadPack files. We discuss how this technique is used to garble malicious Android files, creating challenges for analysts. The post Beware of BadPack: One Weird Trick Being Used Against Android…

Read more →

Our data shows a pattern of APK malware bundled as BadPack files. We discuss how this technique is used to garble malicious Android files, creating challenges for analysts. The post Beware of BadPack: One Weird Trick Being Used Against Android…

Read more →

We perform an in-depth study of a DarkGate malware campaign exploiting Excel files from early this year, assessing its functionality and its C2 traffic. The post DarkGate: Dancing the Samba With Alluring Excel Files appeared first on Unit 42. This…

Read more →

We demonstrate effective methods to circumvent anti-analysis evasion techniques from GootLoader, a backdoor and loader malware distributed through fake forum posts. The post Dissecting GootLoader With Node.js appeared first on Unit 42. This article has been indexed from Unit 42…

Read more →

This threat brief details CVE-2024-6387, called RegreSSHion, an RCE vulnerability affecting connectivity tool OpenSSH servers on glibc-based Linux systems. The post Threat Brief: CVE-2024-6387 OpenSSH RegreSSHion Vulnerability appeared first on Unit 42. This article has been indexed from Unit 42…

Read more →

Our novel contrastive credibility propagation algorithm improves on data loss prevention and has unique applications to sensitive material. The post The Contrastive Credibility Propagation Algorithm in Action: Improving ML-powered Data Loss Prevention appeared first on Unit 42. This article has…

Read more →

Unit 42 researchers examine how attackers use publicly available Malleable C2 profiles, examining their structure to reveal evasive techniques. The post Attackers Exploiting Public Cobalt Strike Profiles appeared first on Unit 42. This article has been indexed from Unit 42…

Read more →

Virtual machines (VMs) are a significant attack target. Focusing on three major CSPs, this research summarizes the conditions for possible VM attack paths. The post Attack Paths Into VMs in the Cloud appeared first on Unit 42. This article has…

Read more →

A Chinese APT group is targeting political entities across multiple continents. Named Operation Diplomatic Specter, this campaign uses rare techniques and a unique toolset. The post Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target…

Read more →

This article examines the distribution of malicious payloads embedded in Microsoft OneNote files by type, a first in our research to do so at such a scale. The post Payload Trends in Malicious OneNote Samples appeared first on Unit 42.…

Read more →

We provide a walkthrough of how attackers leverage DNS tunneling for tracking and scanning, an expansion of the way this technique is usually exploited. The post Leveraging DNS Tunneling for Tracking and Scanning appeared first on Unit 42. This article…

Read more →

We provide a walkthrough of how attackers leverage DNS tunneling for tracking and scanning, an expansion of the way this technique is usually exploited. The post Leveraging DNS Tunneling for Tracking and Scanning appeared first on Unit 42. This article…

Read more →

We detail Operation MidnightEclipse, a campaign exploiting command injection vulnerability CVE-2024-3400, and include protections and mitigations. The post Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400 appeared first on Unit 42. This article has been indexed from Unit 42…

Read more →

An overview of CVE-2024-3094, a vulnerability in XZ Utils, and information about how to mitigate. The post Threat Brief: Vulnerability in XZ Utils Data Compression Library Impacting Multiple Linux Distributions (CVE-2024-3094) appeared first on Unit 42. This article has been…

Read more →

Unit 42 researchers discovered CVE-2024-1313, a broken object level authorization (BOLA) vulnerability in open-source data visualization platform Grafana. The post Exposing a New BOLA Vulnerability in Grafana appeared first on Unit 42. This article has been indexed from Unit 42…

Read more →

We analyze the actions of two separate Chinese APTs — including Stately Taurus — that targeted ASEAN-affiliated entities through different methods. The post ASEAN Entities in the Spotlight: Chinese APT Group Targeting appeared first on Unit 42. This article has…

Read more →

We unravel the details of two large-scale StrelaStealer campaigns from 2023 and 2024. This email credential stealer has a new variant delivered through zipped JScript. The post Large-Scale StrelaStealer Campaign in Early 2024 appeared first on Unit 42. This article…

Read more →

Iran-linked APT Curious Serpens is using a new backdoor, FalseFont, to target the aerospace and defense industries through fake job recruitment. The post Curious Serpens’ FalseFont Backdoor: Technical Analysis, Detection and Prevention appeared first on Unit 42. This article has…

Read more →

A surge in use of malware Smoke Loader by threat group UAC-0006 is highlighted in the first-ever joint research published by Unit 42 and SSSCIP Ukraine. The post Unit 42 Collaborative Research With Ukraine’s Cyber Agency To Uncover the Smoke…

Read more →

We analyze recent samples of BunnyLoader 3.0 to illuminate this malware’s evolved and upscaled capabilities, including its new downloadable module system. The post Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled appeared first on Unit 42. This article has been indexed…

Read more →

Muddled Libra continues to evolve. From social engineering to adaptation of new technologies, significant time is spent breaking down organizational defenses. The post Threat Group Assessment: Muddled Libra (Updated) appeared first on Unit 42. This article has been indexed from…

Read more →

This Wireshark tutorial guides the reader in exporting different packet capture objects. It builds on a foundation of malware traffic analysis skills. The post Wireshark Tutorial: Exporting Objects From a Pcap appeared first on Unit 42. This article has been…

Read more →

The RAT Bifrost has a new Linux variant that leverages a deceptive domain in order to compromise systems. We analyze this expanded attack surface. The post The Art of Domain Deception: Bifrost's New Tactic to Deceive Users appeared first on…

Read more →

We illuminate lateral movement techniques observed in the wild within cloud environments, including Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure. The post Navigating the Cloud: Exploring Lateral Movement Techniques appeared first on Unit 42. This article…

Read more →

Data leaks impacting Chinese IT security services company i-Soon reveal links to prior Chinese-affiliated APT campaigns found in the data. We summarize our findings. The post Data From Chinese Security Services Company i-Soon Linked to Previous Chinese APT Campaigns appeared…

Read more →

Dynamic-link library (DLL) hijacking remains a popular technique to run malware. We address its evolution using examples from the realm of cybercrime and more. The post Intruders in the Library: Exploring DLL Hijacking appeared first on Unit 42. This article…

Read more →

CVE-2024-1708 and CVE-2024-1709 affect ConnectWise remote desktop application ScreenConnect. This Threat Brief covers attack scope and includes our telemetry. The post Threat Brief: ConnectWise ScreenConnect Vulnerabilities (CVE-2024-1708 and CVE-2024-1709) appeared first on Unit 42. This article has been indexed from…

Read more →

Fundamental insights from Unit 42’s 2024 Incident Response report are summarized here. The post 2024 Unit 42 Incident Response Report: Navigating the Shift in Cybersecurity Threat Tactics appeared first on Unit 42. This article has been indexed from Unit 42…

Read more →

Insidious Taurus, aka Volt Typhoon, is a nation-state TA attributed to the People’s Republic of China. We provide an overview of their current activity and mitigations recommendations. The post Threat Brief: Attacks on Critical Infrastructure Attributed to Insidious Taurus (Volt…

Read more →

New zero-day vulnerability CVE-2023-50358 affects QNAP Network Attached Storage (NAS) devices. Our analysis includes its impact determined by our product data. The post New Vulnerability in QNAP QTS Firmware: CVE-2023-50358 appeared first on Unit 42. This article has been indexed…

Read more →

A 2023 Glupteba campaign includes an unreported feature — a UEFI bootkit. We analyze its complex architecture and how this botnet has evolved. The post Diving Into Glupteba's UEFI Bootkit appeared first on Unit 42. This article has been indexed…

Read more →

Analysis of ransomware gang leak site data reveals significant activity over 2023. As groups formed — or dissolved — and tactics changed, we synthesize our findings. The post Ransomware Retrospective 2024: Unit 42 Leak Site Analysis appeared first on Unit…

Read more →

Analysis of ransomware gang leak site data reveals significant activity over 2023. As groups formed — or dissolved — and tactics changed, we synthesize our findings. The post Ransomware Retrospective 2024: Unit 42 Leak Site Analysis appeared first on Unit…

Read more →

Evaluation of a new variant of Mispadu, a banking Trojan, highlights how infostealers evolve over time and can be hard to pin to past campaigns. The post Exploring the Latest Mispadu Stealer Variant appeared first on Unit 42. This article…

Read more →

A network of over 130k domains was part of a campaign to deliver shareware, PUPs and other scams. We unravel the threads of this campaign from entry point to payload. The post ApateWeb: An Evasive Large-Scale Scareware and PUP Delivery…

Read more →

We analyze the extremely active ransomware group BianLian. Mostly targeting healthcare, they have moved from double-extortion to extortion without encryption. The post Threat Assessment: BianLian appeared first on Unit 42. This article has been indexed from Unit 42 Read the…

Read more →

Traffic detection system Parrot has infected tens of thousands of websites worldwide. We outline the scripting evolution of this injection campaign and its scope. The post Parrot TDS: A Persistent and Evolving Malware Campaign appeared first on Unit 42. This…

Read more →

Ivanti VPNs can be exploited by CVE-2023-46805 (High severity) and CVE-2024-21887 (Critical severity), chained together to run commands without authentication. The post Threat Brief: Ivanti Vulnerabilities CVE-2023-46805 and CVE-2024-21887 (Updated) appeared first on Unit 42. This article has been indexed…

Read more →

Ivanti VPNs can be exploited by CVE-2023-46805 (High severity) and CVE-2024-21887 (Critical severity), chained together to run commands without authentication. The post Threat Brief: Ivanti Vulnerabilities CVE-2023-46805 and CVE-2024-21887 appeared first on Unit 42. This article has been indexed from…

Read more →

Drawing attention to the ways threat actors steal PII for financial fraud, this article focuses on a malicious APK campaign aimed at Chinese users. The post Financial Fraud APK Campaign appeared first on Unit 42. This article has been indexed…

Read more →

Medusa ransomware gang has not only escalated activities but launched a leak site. We also analyze new TTPS encountered in an incident response case. The post Medusa Ransomware Turning Your Files into Stone appeared first on Unit 42. This article…

Read more →

Using extractors written in Python, we detail our system for extracting internal malware configurations from memory dumps. GuLoader and RedLine Stealer are our examples. The post Tackling Anti-Analysis Techniques of GuLoader and RedLine Stealer appeared first on Unit 42. This…

Read more →

From October-December, the activities of DarkGate, Pikabot, IcedID and more were seen and shared with the broader community via social media The post From DarkGate to AsyncRAT: Malware Detected and Shared As Unit 42 Timely Threat Intelligence appeared first on…

Read more →

Two issues in Google Kubernetes Engine (GKE) create a privilege escalation chain. We examine second-stage attacks which exploit the container environment. The post Dual Privilege Escalation Chain: Exploiting Monitoring and Service Mesh Configurations and Privileges in GKE to Gain Unauthorized…

Read more →

Malicious JavaScript is used to steal PPI via survey sites, web chat APIs and more. We detail how JavaScript malware is implemented and evades detection. The post Why Is an Australian Footballer Collecting My Passwords? The Various Ways Malicious JavaScript…

Read more →

Using machine learning to target stockpiled malicious domains, the results of our detection pipeline tool highlight campaigns from phishing to scams. The post Toward Ending the Domain Wars: Early Detection of Malicious Stockpiled Domains appeared first on Unit 42. This…

Read more →

In three campaigns over the past 20 months, Russian APT Fighting Ursa has targeted over 30 organizations of likely strategic intelligence value using CVE-2023-23397. The post Fighting Ursa Aka APT28: Illuminating a Covert Campaign appeared first on Unit 42. This…

Read more →

A new toolset comprised of malware (Agent Raccoon and Ntospy) and a custom version of Mimikatz (Mimilite) was used to target organizations in the U.S., Middle East and Africa. The post New Tool Set Found Used Against Organizations in the…

Read more →

A new toolset comprised of malware (Agent Raccoon and Ntospy) and a custom version of Mimikatz (Mimilite) was used to target organizations in the U.S., Middle East and Africa. The post New Tool Set Found Used Against Middle East, Africa…

Read more →

A security risk discovered in the Google Cloud Platform domain-wide delegation feature allows a user to generate an access token to Google Workspace, granting unauthorized access to data and other key tools. The post Exploring a Critical Risk in Google…

Read more →

Two ongoing campaigns bear hallmarks of North Korean state-sponsored threat actors, posing in job-seeking roles to distribute malware or conduct espionage. The post Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors appeared first…

Read more →

We observed three Stately Taurus campaigns targeting entities South Pacific entities with malware, including the Philippines government. The post Stately Taurus Targets the Philippines As Tensions Flare in the South Pacific appeared first on Unit 42. This article has been…

Read more →

In July 2023, pro-Russian APT Storm-0978 targeted support for Ukrainian NATO admission with an exploit chain. Analysis of it reveals the new CVE-2023-36584. The post In-Depth Analysis of July 2023 Exploit Chain Featuring CVE-2023-36884 and CVE-2023-36584 appeared first on Unit…

Read more →

In July 2023, pro-Russian APT Storm-0978 targeted support for Ukrainian NATO admission with an exploit chain. Analysis of it reveals the new CVE-2023-36584. The post In-Depth Analysis of July 2023 Exploit Chain Featuring CVE-2023-36884 and CVE-2023-36584 appeared first on Unit…

Read more →

Clickbait articles are highlighted in this article. A jump in compromised sites exploiting CVE-2023-3169 stresses the danger of web-based threats. The post High Traffic + High Vulnerability = an Attractive Target for Criminals: The Dangers of Viewing Clickbait Sites appeared…

Read more →

Cambodian government entities were targeted by a Chinese APT masquerading as cloud backup services. Our findings include C2 infrastructure and more. The post Chinese APT Targeting Cambodian Government appeared first on Unit 42. This article has been indexed from Unit…

Read more →

A cyberattack series by APT Agonizing Serpens (Agrius) targeting Israeli sectors started in January 2023. We analyze the novel wipers and other tools used. The post Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors appeared first…

Read more →

Threat brief on CVE-2023-4966 (aka Citrix Bleed) affecting multiple Netscaler products covers attack scope, threat hunting queries and interim guidance. The post Threat Brief: Citrix Bleed CVE-2023-4966 appeared first on Unit 42. This article has been indexed from Unit 42…

Read more →

Unit 42 uses machine learning to create detection for a red team tool used by threat actors. The post Conducting Robust Learning for Empire Command and Control Detection appeared first on Unit 42. This article has been indexed from Unit…

Read more →

We examine a variant of the .NET backdoor Kazuar used by Pensive Ursa. This includes previously undocumented features from system profiling to injection modes. The post Over the Kazuar’s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive…

Read more →

We analyze an attack path starting with GitHub IAM exposure and leading to creation of AWS Elastic Compute instances — which TAs used to perform cryptojacking. The post CloudKeys in the Air: Tracking Malicious Operations of Exposed IAM Keys appeared…

Read more →

A breakdown of how Linux pluggable authentication modules (PAM) APIs are leveraged in malware. We include malware families that leverage PAM. The post When PAM Goes Rogue: Malware Uses Authentication Modules for Mischief appeared first on Unit 42. This article…

Read more →